How to parse a string with special format into obj...

jvdev · ‎04-14-2022

Hi there,

I have trying to use spath to try to extract fields inside a string. Currently, the string has this format..

stringField=["fieldOne": "fieldValue", "fieldTwo": "fieldValue", "fieldThree": "fieldValue"]

So, my string inside has some kinda of array with key value pairs. I would to be able to extract those fields and values in a way that I can use their information for my queries.

I would like to be able to get the value of fieldOne by just calling the fieldOne variable/object to get it's value to perform my desire task/stats and so on..

I was trying something like... but no luck!

search... | spath input=stringField

search... | eval newVariable=spath(_raw,'stringField')

search... | spath

search... | spath path=stringField output=newField

The first option of just using input with the spath command only gave me back the first field inside my string. And it was listed as {} field.

I would really appreciate the help!

ITWhisperer · ‎04-15-2022

| eval stringField="{".trim(stringField,"[]")."}"
| spath input=stringField

How to parse a string with special format into objects or variables?

field extraction

fields

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation